CSRF filter in Play doesn't allow custom token generator #1734
Comments
|
Hi @brikis98, I'll look at restoring this functionality today. |
|
Note that the reason we switched to signed tokens is to address the BREACH security vulnerability. |
|
Thanks @jroper. Can you provide a bit more info about how the signed token helps deal with BREACH? |
|
The signed token randomises the token value on each request, making it impossible to character by character ascertain what it is using a BREACH style exploit. You're vulnerable if you're using SSL with HTTP level gzip encoding. |
|
Hm, perhaps I'm misreading the code, but it like a new token isn't generated on each request, but only if the request doesn't already have one: } else if (getTokenFromHeader(request, tokenName, cookieName).isEmpty && createIfNotFound(request)) {
// No token in header and we have to create one if not found, so create a new token
val newToken = Crypto.generateSignedToken
} |
|
The raw token itself is generated once per session. However, the token is resigned on each use, see: Hence the signed token is random per request, but the raw token it's generated from is static. |
|
Ah, gotcha. Thanks for the detailed explanation. |
* Fixes playframework#1734, custom token generator feature reinstatement * Fixes playframework#1728, ensured CSRFFilter can be instantiated without a running application * Added a csrf.sign.tokens conifguration option to switch between default CSRF token providers, either signed or unsigned. * Abstracted tests so they can be run on many different permutations of configuration * Added documentation about all the different configuration options This commit breaks binary compatibility, the CSRFFilter constructor parameters are now not lazy, and CSRFFilter is no longer a case class, so many of the methods it used to provide are no longer there. This was deemed necessary because the intended use of CSRFFilter, ie: object Global extends WithFilters(CSRFFilter()) with GlobalSettings was not possible with the old constructor. The constructor is however still source compatible for most use cases. Since that constructor is intentionally breaking binary compatibility, new parameters that were added for custom token generation and configuration signing were added without consideration for binary compatibility, only source compatibility.
For the last year or so, we've been using the CSRF filter originally created by @jto. This filter allowed the user to specify a custom token generator, which is important if your deployment includes other (non-play) apps that read your token and expect it to use a specific format.
We're upgrading to Play 2.2 and it looks like the CSRFAction class does not support a pluggable generator: it is just hard-coded to use
Crypto.generateSignedToken. Would there be any objections to us submitting a pull request to addtokenGenerator: => Stringas a constructor parameter ofCSRFActionandCSRFFilter? We could set the default value toCrypto.generateSignedToken, so it would be backwards compatible, while still allowing an injection point for this custom behavior.The text was updated successfully, but these errors were encountered: